Age | Commit message | Author |
|
ok mikeb
|
|
measured exactly in user land. Use the new idle timeout for socket
splicing in the kernel to make it correct. Also do splicing with
http if relayd does not check headers.
ok mikeb
|
|
regardless of debugging mode and compile switch.
ok sthen@
|
|
ok pyr@ sthen@
|
|
the client closed before the connection to the server has been
established. Then the relay closed immediately before transferring
any data. The solution is to delay the close until the other side
has an event buffer.
ok sthen@
|
|
This is 200 milliseconds and too short. Instead use the 600 seconds
session timeout that is used for accepted sessions everywhere else.
While there, make flag handling in relay_ssl_transaction() consistent
with the other functions.
tested and ok sthen@
|
|
in the long term, i guess we should avoid documenting the number of
sections, since it's meaningless and is always in danger of going
out of date...
|
|
the standard OpenBSD-style parse.y handle continuing lines with backslashes,
paying particular attention to how comments are handled (which can cause
nasty side-effects if you're not expecting it).
Most wording from jmc@, with suggestions from fgsch@, marc@, Richard Toohey,
patrick keshishian and Florian Obser, ok jmc@.
|
|
from Martin Matuska in PR 6624
ok phessler@
|
|
|
|
|
|
directives like "listen on egress".
Based on gilles@'s code for smtpd and an idea from Mikolaj Kucharski.
|
|
the show sessions handler by implementing it in an asynchronous way.
Closes PR 6509
ok pyr@
|
|
|
|
daemon infrastructure. The previous design made it fairly hard to
reload the complex data structures, especially relays and protocols.
One of the reasons was that the privsep'd relayd processes had two
ways of getting their configuration: 1) from memory after forking from
the parent process and 2) and (partially) via imsgs after reload. The
new implementation first forks the privsep'd children before the
parent loads the configuration and sends it via imsgs to them; so it
is only like 2) before. It is based on an approach that I first
implemented for iked(8) and I also fixed many bugs in the code.
Thanks to many testers including dlg@ sthen@ phessler@
ok pyr@ dlg@ sthen@
|
|
functions that are based on work for iked and smtpd. This simplifies
the setup of privsep processes and moves some redundant and repeated
code to a single place - which is always good from a quality and
security point of view. The relayd version of proc.c is different to
the current version in iked because it uses 1:N communications between
processes, e.g. a single parent process is talking to many forked relay
children while iked only needs 1:1 communications.
ok sthen@ pyr@
|
|
instead of static function names. __func__ is C99 and perfectly fine
to use. It also avoids printing errors; for example if a statement
log_debug("foo:"..) was moved or copied from function foo() to bar()
and the log message was not updated...
|
|
OK reyk@ claudio@ sthen@
|
|
"it's worth killing, if just to stop it being copied all over the place"
|
|
void pointer in struct ctl_relay_event. That way the compiler can
do its job and enforce correct types.
ok pyr@ deraadt@
|
|
others (HTTP will need a more complicated splicing mechanism to switch
between headers and bodies in userland and kernel). Add the "no
splice" flag for non-TCP relays by default to indicate it in the debug
and status output.
|
|
|
|
forwarding for plain tcp connections.
feedback and ok reyk@
|
|
|
|
ok mikeb@
|
|
server connection is set up, do not enable read events for the other
side.
|
|
the client to the server did always trigger the session timeout.
The reason for this behavior was that any read event reset the
client side timeout. A read event on one side must reset the timeout
for the other side instead.
ok deraadt@
|
|
than 'unknown'. Fixes a problem where the script is killed due to expiry
of the interval timer. ok pyr@ deraadt@
|
|
identify configuration issues.
ok sthen@ pyr@
|
|
ok pyr@
|
|
the needed bits
ok deraadt@, millert@
|
|
Fixes "Address already in use" errors seen on high load.
OK reyk@ pyr@
|
|
is const now, adjust the variable and silence a compiler warning.
|
|
resource limits to the maximum of the daemon class but the host check
process (hce/health checks) didn't and was limited to a fairly low
default of 128 open sockets (openfiles-cur=128 in login.conf). This
was reached fairly quickly with "check tcp" of many hosts. This diff
increases the maximum number of monitored hosts and concurrent health
checks in relayd in a significant way and may fix issues for people
that have around 100 or more hosts (or fewer hosts with multiple checked
ports).
tested by phessler@
ok jsg@
|
|
to zero, consistent with pfe and makes other parts of the code better
behaved. From Patrik Lundin.
ok reyk@
|
|
From Patrik Lundin and Linus Widstromer.
ok reyk@
|
|
|
|
some cases it is desired to load the rules as "match in" without "quick"
to allow additional filtering or applying additional rule/state options,
e.g. to add an overload table for DoS mitigation. Add the optional "match"
keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
|
|
|
|
ok claudio@, jsg@, phessler@
|
|
(verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
|
|
|
|
inherited from the table definition even though these values could
not be changed there. While there fix a memory leak in a rather strange
case.
OK phessler, jsg, pyr, sthen, deraadt
|
|
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
|
Seems reasonable to jsg, ok phessler, no response from reyk or pyr
|
|
Minor bump for libutil.
Previous versions of this diff and man page looked at by various people.
"you should just commit" deraadt
|
|
ibuf, buf_read to ibuf_read, READ_BUF_SIZE to IBUF_READ_SIZE.
ok henning gilles claudio jacekm deraadt
|
|
more readable, and fixes a spacing bug we had in smtpd.8;
|
|
and "server".
fixes for bgplg(8) and relayd.conf(5) suggested by jmc@, good catch!
ok jmc@
|